Practicing Zero Trust and Adopting Assume Breach
Season One · Episode 1

In this episode, host Raghu Nandakumara sits down with Chase Cunningham, former Forrester analyst and “Dr. Zero Trust,” to discuss the evolution of the Zero Trust framework and what organizations get wrong when mapping out their Zero Trust strategies.

Transcript

0:00:04.1 Raghu Nandakumara: Welcome to the Segment, a Zero Trust Leadership podcast. I'm your host, Raghu Nandakumara, head of Industry Solutions at Illumio, the Zero Trust segmentation company. Today I'm joined by Dr. Chase Cunningham, also known as Dr. Zero Trust, Chief Strategy Officer at Ericom Software and former Forrester analyst. As the Chief Strategy Officer for Ericom, Chase is responsible for developing, leading, communicating, executing, and maintaining the corporate strategy. In his role, he functions as a servant leader, strategic thinker and doer, ensuring that execution strategies support the overall vision of the company. Prior to his role at Ericom, Chase was VP and principal analyst at Forrester Research where he focused on security operations center planning, counter threat operations, encryption, network security, and zero trust concepts and implementation. Over the years, Chase has also held various threat research and intelligence roles with organizations like Armor, Accenture, and the National Security Agency. Today, Chase is joining us to talk about the evolution of the Zero Trust framework, how to get zero trust right, and what organizations get wrong when mapping out their zero trust strategies. Everyone loves a good origin story, right, so let's hear the Dr. Zero Trust origin story.

0:01:09.1 Chase Cunningham: I tell people like, and I'm not joking, I'm super lucky to have had any success in life or in cyber at all, just because it's a constant, bumbling into luck and having good people around me. I joined the Navy as a diesel mechanic. I had nothing at all to do with computers, whatever. The way that I got into cyber was totally by accident.

0:01:31.1 Raghu Nandakumara: Nice, nice. So right, like this is the Zero Trust podcast, so we're gonna end up talking about Zero Trust, right. What was your exposure to Zero Trust - was that very directly related to what you got up to at Forrester or were you exposed to this prior to that as well?

0:01:48.5 Chase Cunningham: After I did all my cyber and crypto stuff in the military and then I went to do stuff for the government, I actually taught, and wrote curriculum for computer network exploitation, which was the government's way of billing for really expensive stuff when you're doing red teaming. So I did red teaming in the government space for quite a while and when I was talking with John Kindervag, who I had known, when he was still at Forrester, he was talking about the ZT thing and at the time I was like, okay, sure, whatever it sounds like marketing shenanigans 101, cool, blah blah. And then I came to Forrester and I was actually, I would say pissed off that they said, Hey, you're gonna pick up John's dirty underwear and do this ZT thing. But when I started looking at it from the perspective of if I was a bad guy or a red teamer, would these concepts cause me, you know, to quit and go find another target? And they would, all of a sudden the light bulb went on and I was like, okay, John was on to something. So I just went at it. But I did like, I seriously argued with my boss, Joseph Blankenship and other people at Forrester like I... Please don't make me do something someone else has already done 'cause I don't want to be second fiddle in whatever. But it turned out to be a good, you know, good use of my time.

0:03:01.9 Raghu Nandakumara: Yeah, absolutely. And I would say as kind of a practitioner, right, I'd say that sort of John Kindervag sort of laid the foundations for sort of the modern definition of Zero Trust. I would say that you more than probably anyone else did most to really take that mainstream. So how do you now feel that this sort of, this baby that you nurtured is finally starting to walk on its two feet?

0:03:30.3 Chase Cunningham: To stumble along.

0:03:31.9 Raghu Nandakumara: I wouldn't say snowball yet, but at least walk on its two feet.

0:03:35.5 Chase Cunningham: It's good that there's folks that see that there's value to a strategy that makes sense. I'm sick and tired of hearing people bitch and moan about the, the buzzword and whatever else and all the haterade that comes along with it. 'Cause to me, I'm actually literally, I'm, I'm working on a blog right now about like, look, if you don't buy what we're selling and you don't think this makes sense, please continue being stupid in doing what you're doing and you're gonna be the one that's the slow gazelle. Like go ahead. I am to the point now just with, if there's this massive market moving and all this adoption and I'm... I had calls yesterday with people in Argentina, I'm going to speak in Colombia next month on ZT. If the whole world thinks this is a real thing and you, the haters don't, fine, be a hater and let me know when you get your ass handed to you and then come talk to me about ZT.

0:04:26.7 Raghu Nandakumara: So yeah, I'm in agreement, right? Otherwise we wouldn't be doing this, right? So what is the... And like you look around, right, and you sort of say, okay, what was the tipping point, right? Because there was enough in terms of the actual premise behind why, like why Zero Trust, right? It's common sense, right? But it's taken forever for people to almost reach that level of common sense. What was the tipping point in your opinion?

0:04:56.5 Chase Cunningham: I think COVID was the gas on the fire that was needed because there was such a move to figure out really quickly how to keep businesses up and running. And then how to also not just kind of open the door writ large and go, I hope we don't get pwned, you know, to the nth degree that there was enough people that kind of had to an opportunity, a crisis, an opportunity, right? Crisistunity to kind of step back and go, okay, we can do something different and here's how we can do something that makes a little bit more sense because obviously we had proof, on Pong proof that the other model didn't work and now with remote and all the other things that we're seeing, and I think I read a paper this morning about how hybrid is kind of been accepted now is the way that work's gonna look like, you know, maybe not everybody has to be in the office unless you work for Musk or whatever the hell's going on over there. And the rest of us can kind of, you know, live like humans the... That reality requires us to have that sort of approach and ZT just happened to be in the right place at the right time with technology that evolved to enable that thing.

0:06:03.2 Raghu Nandakumara: Yeah, absolutely. And 'cause... And... And I think also do you think that not just sort of COVID and the move to hybrid work, etcetera, right? But do you think it was also a greater realization of what that threat landscape now looked like, right. And sort of, and I know you talk about how ZT almost equates to Assume Breach or actually vice versa. Assume Breach is the fundamental on which ZT is then the answer.

0:06:34.4 Chase Cunningham: Yeah, I mean, it's funny 'cause that used to be such a sticking point for people to be like, accept that you already have a compromise. Oh no, no, we're, that's not a thing and that we're not compromised and there's no, we have millions of dollars into this. And it's like, oh, I mean, okay, let me write this down 'cause you'll be, you know, pinging me in six months and now that, that seems to be, you know, it's not a knock on a person or something, it's just the reality of the space. So accept it and then align your resources around it to work your way past that problem. It doesn't have to be... I would say it doesn't have to be a negative really, if you think about it differently. And it, you know, the other haterade that's so, you know, all over the place right now is, well this is not new. Correct. It's not new. This is an evolution and a maturation of something that makes a lot of sense and it's made sense for a long time. Like you said, people just ignored it 'cause people are, I don't know, people, we suck in general.

0:07:33.9 Raghu Nandakumara: I think you actually... It was on... It was on your LinkedIn or Twitter recently where I think you put something up, something along the lines of there is no patch for human stupidity or something along those lines. But sorry to misquote you if I did, but I'd like sort of just, I know our listeners are gonna be experienced sort of security professionals and they'll have heard Assume Breach, they'll have heard of Zero Trust, right? Just lay it out, right? Why does... Why is Zero Trust the natural answer to an Assume Breach? Sort of, if the question is Assume Breach, why is Zero Trust have to be the answer?

0:08:10.8 Chase Cunningham: If you look at the, the what is required. So let's flip the script for a second and say we're not worried about defense. Let's just say we accept that there's a compromise. Okay, done. Now what do we not really want to have happen? I want them not to be able to stay in my network or my environment. I want them not to be able to move around. Like it's, if someone breaks into my house, that's a problem, but I don't want you moving in and living with me. So, you know, let's be real about that. If we accept that that's what we're trying to do, what does the bad guy need to succeed in that manner? They need trust relationships from within systems. And John says it all the time, trust of the human emotion, we've built it into computers. If you remove the trusted relationships, it's not that there's gonna be zero trust, it's that they're going to have manageable risk based on trust relationships and that... That makes the bad guy's day really hard. Like that's... That's what we want. That's where it is. I'm not... You're not... You're not gonna never have a breach, you're not gonna have a compromise. You're not gonna have... And, I agree with folks, they'll say well there's no such thing as zero trust. Correct. Just like there's no such thing as zero body fat 'cause you'd die, but you try and get really low.

0:09:24.2 Raghu Nandakumara: Yeah, yeah, 100%. And I think the sort of something that you said just there right, is about make life difficult for the attacker, right? I think we're getting better at that approach, but still, I think too often we don't approach building security controls from that perspective, right? Like, again, like your thoughts, like why, 'cause it's just so natural, right? Make it difficult for them, they'll go somewhere else.

0:09:52.5 Chase Cunningham: It's people trying to defend their position at the company in the wrong way. I mean, you got CISOs now which have got their seat at the table and great and that's super awesome and whatever. But I mean the reality of it is they're typically trying to justify their position at a company and telling folks that they're gonna be perfectly defended or whatever else. Instead of that real conversation about like, look, what I'm doing is going to exponentially reduce our risk and that's gonna make this more manageable and we can keep uptime going and whatever else. I have yet to run into a single workshop with a client that has been about the technology piece of ZT, it has 100% been about the leadership issues that you faced there.

0:10:32.9 Raghu Nandakumara: Yeah, exactly right. And I kind of sort of... Some blogs where I was reading last week, around how Zero Trust is... Or adopting a zero trust strategy is so much about that cross-functional buy-in, right? More... Way more than it just being a security program for the security organization, right? So for organizations that are adopting Zero Trust is, would you say there are anything where an organization is doing zero trust wrong? Or would you say that anyone who's doing zero trust should be credited?

0:11:07.3 Chase Cunningham: No, I think... I think there's a way to do it wrong. If you're not understanding where you're starting and you're not having a very real conversation about the things that are most important and working your way outward from there, like we've talked about for a long time, then you're missing the forest for the trees. Personally, my methodology and anyone that I engage with is, the first thing that we're gonna do is maybe it's not a real world red team, but I'm gonna throw a scenario at you and then I'm gonna sit there and watch and see what happens. Because until you've been through the stress of that situation and you've actually had your feet to the fire, it's all pontification. You know what I mean? If the... If the reality of security is to make us survive past a breach, which is one of those oh my god moments, then we need to react based on what will actually occur. And I... I've had so many companies that have said, we're ready and I go in and drop the situation folder in front of 'em and then you watch the heads roll, the arguments happen, the people running out of the doors and it's like this, this is where we begin. I can, this problem is solvable. This is a management leadership issue. Technology, that's gravy baby. That comes later.

0:12:15.4 Raghu Nandakumara: Yeah, yeah, yeah. 100%. So how does an organization do this right? Right. Well, what is the... What is the playbook that they need to adopt to do zero trust, adopt a zero trust strategy, be successful with it, be able to measure it? Let's unpack that.

0:12:31.3 Chase Cunningham: Well, I think the first thing is... Is like I say, is put your feet to the fire and understand from not just the security team's perspective, but all the way up and down as much of the food chain you can get involved. Like what would actually go bonkers when something does occur so that that way you've at least experienced the misery that will come. So that's an organizational piece. The second thing I think that is critical is having a really good understanding of the totality of assets that's touching that enterprise, that network, whatever, because I can't defend what I don't know about. And then mapping your controls based around those gaps that you see. If you... If you think about it from the perspective of the... The general on the top of the battlefield, right? And I can look out across everything. If I can do that, I can vector resources to plug the gaps. I don't wanna be underground and then looking up and going, geez, I really hope I'm putting the right things in the right place on this battlefield.

0:13:25.3 Raghu Nandakumara: And for organizations that sort of start this journey, right? Where is... Where do they commonly come unstuck?

0:13:33.4 Chase Cunningham: Usually they go too big, too fast. They'll say, actually it's a good example. I was working with a bank, a large one, and they said, well we're gonna do ZT for users. I was like, cool, super great. I think that's positive. And they said, we're gonna roll it out and we're gonna start with 5000. And I was like, whoa, whoa, that's not small. And they said, oh, well we're a global bank, whatever. I was like that's not small. And they said, okay, well what number should we start with? And I said, five. And they were like, five? That's... That's not even worth our time. And I said, well, if I breached five people at your company, would that wreck your shop? Okay, fair. So, and then if you get it right for five, you do it for 10, and if you get it for 10, you do it for 50. And then you... You know, you roll, like, you sharpen the blade based on grinding it against the metal rather than coming in swinging and think you got it right.

0:14:23.2 Raghu Nandakumara: But how do you pick the five? Right? Did you say, Right, pick these specific five that meet these profiles or was it, alright, let's start small.

0:14:33.5 Chase Cunningham: Right. For me it's about who would be... If you're gonna pick those five individuals, who's got the most admin access in a system, those five, those are the people I wanna focus on first. And if they come back and go, well, one of 'em is the CEO okay, well we have a real issue there. Why the hell is the CEO got admin access to things.

0:14:50.0 Raghu Nandakumara: So like, there'll be folks listening in here and thinking, right, okay, what can I... What are those little pearls of wisdom that Dr. Zero Trust is gonna shower us with? Right? Right, it's because I'm struggling with this Zero Trust strategy. So what would that be at this moment, based on what you've been seeing happen? What's like, here's my pearls of wisdom.

0:15:13.5 Chase Cunningham: I think the biggest thing is treat cyber security just like you treat the other pieces of your business. How many times have we been in a meeting with the CEO and they say something along the lines of like, "Everybody's in sales at this company." And does anyone stand up and go, "Screw it, no way." You're engaged because you're part of that organization and sales is critical to the business success. Guess what? Cyber security is the same way. So talk to people like they are part of it and they need to be engaged. And on top of that, I think you should also quit investing in solutions that are not technical controls because this is a technology fix and treating people like they're pieces of gear is stupid and you won't get the return on it. It's a great thing for investors and it's good for the VCs, but put them up there. Find me an organization that has trained themselves out of no compromise, and I'll bring in some folks that will wreck shop real real quick.

0:16:18.3 Raghu Nandakumara: You started talking about vendors, and vendors have for sure have jumped on the Zero Trust and a way before the practitioners did. What is it that vendors have done to, I'd say, corrupt the Zero Trust market?

0:16:43.1 Chase Cunningham: Well, I think it's a couple of things. Number one, obviously they ran with a lot of it of, "We did X, so where's ZT now? Wait a minute, there's more to ZT than that, there's no button and there's not a product for it," so that's been one. And then they market it. It almost seems like the ones that were more egregious than doing that, marketed it even harder. They were like, "If we're gonna be this, we're gonna double and triple down until somebody calls us out," which they... That's your strategy, whatever. And the other piece is, the move towards platform, which has been paid by all this stuff. Yeah, I call it the Walmart of cyber security, by all this crap that's on our shelf somewhere, and I swear to God, if you buy enough of it, eventually it'll all work together magically, and you'll have the Lego house of your ZT thing, and we'll sell it all to you in one fell swoop. And it doesn't work, it's not... There's portfolios, and there's a very, very few platforms that are in this space, and that's been what's gotten it most off-kilter in my opinion.

0:17:39.4 Raghu Nandakumara: So what's like your message to vendors and Zero Trust is an important port initiative for vendors to play into, what is your message... What is your message to them? What do they need to do more to actually encourage Zero Trust adoption in their customer base?

0:18:09.4 Chase Cunningham: Well, I think one is just lead with the understanding that the reason somebody's engaging you in a conversation about ZT is because they're asking a strategic question. So be able to answer the strategic question with a strategic value proposition. That is super valuable. And the other thing that I get people on all the time when I do advisory with vendors and whatnot is, I ask the vendors like, "Tell me where you're at in your Zero Trust journey? What are you guys doing for your own ZT?" Usually, I get crickets or a lot of looking around. If you're not doing ZT yourself, why in all of God's wisdom would I buy your shit to do ZT for me? If you don't know how to drive, don't tell me how to move my race car.

0:18:54.3 Raghu Nandakumara: A 100%. 100%. So I know you're involved with the Zero Trust demo forum, what is that doing from providing a platform for vendors but also providing for the end users, for the consumers? What is that enabling that sort of, let's say other similar organizations are not?

0:19:17.2 Chase Cunningham: Yeah, so part of the problem is, if you're gonna get what I would call good jury content on vendor technologies is you've gotta do a lot of bird dogging and yourself, and that can be time consuming. So what we've kind of done with the demo forum is to say, "Let's go drive the vendors that have a valid claim here, have them talk about the stuff, do some thought leadership and then literally demo their system." And yes, it's a vendor demo, but it's a demo so that an end user can go look at that and go, "Okay, I really wanna see, this X problem being solved. These guys have got really good technology, it seems. Let me go listen to them talk about it. And then, by the way, I can see what that solution actually does." And that to me, from the perspective of this, the research side is it makes it where the end user has much fewer steps to jump through to get really good intelligence on what's going on with the vendor space.

0:20:12.8 Raghu Nandakumara: And is the focus there? And just want to understand this a bit more, 'cause you talk about use cases. And we haven't really spoken about that, and what you're saying here is, is that it's very much specific use cases that Zero Trust enables and being able to showcase that as opposed to a generic, Oh, we enable you to sort of accelerate your Zero Trust journey, and so is the focus on very targeted use cases?

0:20:42.2 Chase Cunningham: So it's around use cases, and it's also around taking the vendor space and carving up the capabilities into the pillars of the framework. And that way, if I'm... I like I said earlier, there's not a whole lot of platforms, there's some solid portfolios. If I'm looking for the vendor that does, cloud access management it, whatever that is. Just pick your random super cyber ZT term, they do cloud access management or something. I can go look at this and I can go, "Okay, these are the vendors that have those capabilities." There's five or six of them that actually do that thing, I should look at five or six instead of 247. I think I looked today and added it up and there was 2731 vendors in cyber security. That's crazy. We're talking, I think the numbers that Richard Stiennon put out were $60 something billion in the market like that's phew.

0:21:39.2 Raghu Nandakumara: So actually, just on that right, the vendor sprawl that exists today, do you see... And you kind of spoke about portfolio versus platform as well, do you see this... Or looking into 2023, do you see that there will be kind of coming the formation of true Zero Trust platform? So vendors looking at a true Zero Trust platform scope and building that interconnected set of acquisitions or homegrown products. Do you see that as being real or we still got to see vendor sprawl at least for the next 24 months?

0:22:19.5 Chase Cunningham: I think for a variety of reasons, we're gonna see a consolidation of a lot of that space. The recession is gonna do part of it. We're having the economic headwinds and whatever else that's gonna drive a lot of that. I think we've also kind of saturated the market on interesting, new, cool, sexy things, we've seen a slow down in that space as well. And APIs now are so good that it is valid to take a portfolio of capabilities and mush them into the operational platform you're looking for. And that's actually the really valuable thing I think is if I can say, I wanna use these guys that are really good at this, and these guys that are really good at this. I don't wanna buy it all from them, but I wanna make them cooperate and collaborate together to give me maximum output, that's where the platform side of this actually does become a thing. And it's kind of a home-grown side of it, but it's because of the APIs that are part of that integration.

0:23:18.0 Raghu Nandakumara: Yeah, I agree, and I think we've had this conversation before about really bringing together, and you've been a huge promoter of this consistently, is about bringing together the best of breed technologies, but being able to almost unify them in a single control plane. And as you said, a lot of that is very much home-grown. You've gotta be serious about wanting that and then building that.

0:23:44.7 Chase Cunningham: Yeah, I think you can get towards a semblance of that. And the other piece of the use case conversation is there will always be, for different businesses and different verticals, there will always be that one use case that requires them to have a best of breed, whatever, which is fine. That's your most critical thing, that's your radioactive by all means, get the Lamborghini of that stuff. But for the workforce side of this, that's where this other approach, in my opinion, makes the most sense. Funny enough, when you're talking about Lamborghini, everybody forgets Lamborghini started out as a tractor manufacturer.

0:24:25.1 Raghu Nandakumara: Yeah, exactly. Well, the only Lamborghini I have is the one that my son made out of Legos, and believe me, that took us six months to finish. You kind of alluded to the macro economic conditions, you spoke about ROIs, so let's talk about that for a bit. At a high level, how does adopting a Zero Trust strategy deliver ROI? Or how do you show ROI for adopting Zero Trust?

0:24:56.4 Chase Cunningham: So I think one of the best ways that I've seen working with organizations is really what they get rid of as they move towards a strategic side of things. I've worked with organizations that have had at least two, if not three, similar solution, solving similar problems that have been implemented by new teams over time. I think the most interesting one was somebody that had three IAM solutions all doing the same thing, and it was like, "Well, which one is the best?" "So, here we go, let's bring that in." The years before this were lots of knee-jerk responses to the new needs, new problems, new risks, new threats. Okay, we've kind of saturated a lot of that, now the next thing is to go off and go, "What actually meets the needs? What enables my strategy? Let me whittle away some of the crap that I don't need," and then that budget frees up for other things. And any time you have a conversation in the business with, "I freed up budget," all of a sudden people start smiling. You don't wanna be asking for more but you're good to say, "I'm willing to sacrifice some."

0:26:00.2 Raghu Nandakumara: But in your experience of leading a lot of Zero Trust initiatives, when is that ROI often realized? Because I assume that it's... You may have a hint of it being realized up front, but actually seeing it in the flesh is a way into the cycle, so when is that often realized?

0:26:24.2 Chase Cunningham: It'll be a while into the process. The good thing is you can scope it out and kinda have, I would say almost a predictive budget that you can go back and kinda say, "As we migrate, Year Zero to Three, here's what's gonna go away, and here's where that budget's gonna free up." 'Cause we know what stuff costs, and then you can begin to go, "This year, I'm gonna free... " It's the reverse of your budget, it's like what you did to get this stuff, now you're just off-loading it and you can say predictively what you're gonna free up.

0:26:54.7 Raghu Nandakumara: And I guess that's the whole scoping of the Zero Trust program is so important part of that, so that you don't over-scope at the beginning and thus under-resourced to execute.

0:27:08.4 Chase Cunningham: Scope pre- you alive. And that's why I think it's so critical to really have the leadership conversation in the planning before you begin to go down that, 'cause you don't... Don't confuse tactical execution with strategic value, and a lot of people do that. "We did this. Okay, cool. What's next?" That's tactical execution. Strategic value is, "I'm marching towards this thing, what tactics do I do that will enable me to keep that march going?"

0:27:36.4 Raghu Nandakumara: Yeah, and I think that's the... I love the way you express that, because I think that's the bit that people miss when they are trying to execute a Zero Trust strategy. That they have that strategic goal, but what they lack is actually the tactical steps that they need to take in order to achieve that, and then hence, they never see the return on their investment or they never even make the first step because they're just considering the big picture. So moving on a bit, let's think about Zero Trust in and how regulators, government bodies, etcetera, are starting to really sort of push for the adoption of Zero Trust strategy. There's of course, the Biden-administration sort of EO is obviously sort of world famous now, I'd say.

0:28:32.2 Chase Cunningham: It was a watershed moment.

0:28:34.5 Raghu Nandakumara: A 100%, but it's been about 18 months since it got issued. Where are we in terms of actual progress against that?

0:28:44.3 Chase Cunningham: In October of 2022, the federal government finally formally established a DoD Zero Trust Program Office, and that was... Any time the DoD sets up a program office that's something. On top of that, they allocated about a billion and a $1.1 billion to that office and said, "Go off and enable ZT." So in government speak, that's pretty fast, 18 months to get towards a PO with a lot of money allocated to it, is fast-ish and they're starting to put things in place. Without getting myself in trouble, I've been engaged in some of the conversations with some of those organizations and there's movement going on, but they're sticking to the strategy that they outlined in the DoD Zero Trust document that was published in the 23rd of November. So they're doing what I think is the right thing, sticking to their guns and moving forward, it's gonna be a slog. What everybody kinda read through that strategy document, they said, "Oh, the DoD says they're gonna be ZT by 2027." That's not at all what they said, they said that they're gonna be in a state of Zero Trust by 2027. If you read through the whole thing, it actually talks about that they won't be in an operational full compliance state till 2032, and that's early. So that's a very realistic timeline, in my opinion.

0:30:10.5 Raghu Nandakumara: And do you think it's a program that has got sufficient momentum behind it, that it's gonna last the course, or is it still too early to say?

0:30:22.2 Chase Cunningham: I think it's pretty early to look in a crystal ball, but I do think that the way that they've changed the incentive structure, they went from a lot of stick to a lot more carrot, is gonna drive that forward. Because whether you're gonna get a lot of value out of it and the conversation already happening is that they've got the beltway bandits that are just clamoring and circling like sharks with blood in the water to come help make that happen. And that's how things get done in government is when you got the beltway bandits coming along and making it actually happen. If you relied on the DoD to do it themselves, the sun would burn out before anything got done.

0:31:02.0 Raghu Nandakumara: Beltway Bandits, first time I've heard that but I get it straight away.

0:31:06.9 Chase Cunningham: I live near the beltway, so I see them all day.

0:31:11.8 Raghu Nandakumara: And I guess the whole reaction of other regulators and other government organizations like the TSA, for example, issuing of security directives to these LNG operators is a direct manifestation, a direct follow on from the EO, but also threats to critical infrastructure. And that again, is probably the threats are not a good thing, but they're acting is a good forcing factor for the adoption of Zero Trust.

0:33:44.5 Chase Cunningham: Yeah, I tell folks, I don't even care about the threats really. If you spend all your time worrying about the next sexy, cool Russian exploit or whatever somebody is gonna steal from NSA and release to the Open Internet, it's an exercise in futility. Really what you should be doing is looking at what we talk about in ZT, what the fundamentals are for those things to be successful 'cause they're physics. There's things that can be sexy and cool way up here, I'm gonna deal with the problem down here at the very lowest level and make it where those things won't work. And then a win is a win, is a win, and work with that.

0:32:21.6 Raghu Nandakumara: Yeah, 'cause ultimately, it's the same things that keep getting exploited, that attackers benefit from. That very rarely has changed.

0:32:31.6 Chase Cunningham: In all of warfare, 'cause cyber is a warfare domain, in all of warfare in history, no one has ever had to be this clear what the enemy is going to do to win, and they still sit around going, "Well, I wonder how we defend this." Come on, man, it's the color with crayons. It's written right here.

0:32:47.5 Raghu Nandakumara: Yeah, exactly, exactly. So it's that time of year where I'm sure you're inundated with requests for, "Hey, Chase, give us your predictions for 2023." I will put you on the spot here, 2023, what does it hold for Zero Trust?

0:33:07.9 Chase Cunningham: I think the biggest thing is you're gonna see more adoption of ZT outside of the US market. That's the only prediction I feel like I can stand on and say that that's probably gonna be realistic, and that's literally because I'm having those conversations with organizations in Latin America, Australia, Japan, India, the UK, the Nordic region. So I think that that's the thing that will continue to grow. Other than that, I would say the majority of it is gonna be the same thing, different day with slightly different shenanigans around it.

0:33:47.1 Raghu Nandakumara: And do you see that acceleration of Zero Trust adoption? Do you see that specifically in public sector or public sector driven? So more sort of EO-type edicts coming from governments in other countries or private sector-driven?

0:34:08.2 Chase Cunningham: I think internationally it's gonna be mainly private sector driven. I do think /wink wink have a bit of insight that some stuff is probably coming as far as public directives in the US. But like cyber is kind of a trickle-down space where the US and the DoD are ahead of everyone else or doing the first to the bat type things, and it works its way everywhere. So I think Australia I know has been doing some work around kind of mapping their Essential Eight to Zero Trust, so I think that there's gonna be some stuff like that, but maybe it'll happen this year, maybe not.

0:33:47.3 Raghu Nandakumara: All right, so before you wrap, you and John, you go and meet each other for a drink and you're swapping of Zero Trust analogies. Who's got a better Zero Trust analogy?

0:35:01.5 Chase Cunningham: It could go either way, honestly, depending on how many drinks we've had to be perfectly frank. Yeah, John's obviously The Godfather, but I threw out some good ones out there once in a while.

0:35:16.3 Raghu Nandakumara: Go on, let's hear one. Let's hear the latest one you've put together.

0:35:21.4 Chase Cunningham: As far as what is Zero Trust? Yeah, I'd say Zero Trust for me is like dating my daughter. I'm gonna know who you are, I'm gonna see what's going on, I'll provide you access to her, I'm gonna monitor what's going on. And then if you do things that are outside the balance of what I would call acceptable, you're gone, that's it.

0:35:42.8 Raghu Nandakumara: Chase, with that, I thank you so much for your time. Everyone listening into this, Chase, Dr. Cunningham, Dr. Zero Trust has his own eponymous podcast, Dr. Zero Trust, available on all the usual platforms. Go and check it out. It's a regular dose of the most real, the most actionable content on all things cyber, not just Zero Trust, but you get a whole load of Zero Trust goodness as well there. Thank you.

0:36:12.2 Chase Cunningham: Awesome, thanks much.

0:36:15.7 Raghu Nandakumara: Thanks for tuning into this week's episode of The Segment. For even more information and Zero Trust resources, check out our website at illumio.com. You could also connect with us on LinkedIn and Twitter at Illumio, and if you liked today's conversation, you can find our other episodes wherever you get your podcast. I'm your host, Raghu Nandakumara, and we'll be back soon.